July 24, 2024

BitJackass Diary Part 4

Official websites and GitHub profiles of cryptocurrency projects are hacked quite often, and malicious code is spread through them. The result is a loss of money. The distributed software is often replaced: usually the attack is carried out on one of the network nodes, and then the data is spoofed. There are several ways to protect against such an attack. PGP signature verification is considered a proven one.

PGP signatures are proof that the distributed files were signed by the owner of the signing key. For example, if https://electrum.org were hacked and the original files replaced, signature verification would fail because the attacker would not be able to create valid signatures.

We offer you a way to verify the PGP signature, using the Electrum wallet as an example.

This method can also be used to verify software signatures of other cryptocurrency projects.

1) Download and install the Kleopatra program (certificate manager and universal graphical interface to cryptographic algorithms)

Click “Search on the server” and enter Thomas Voegtlin's fingerprint in the search bar.

Thomas Voegtlin's fingerprint, as known today:
6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
(Source: video on youtube https://www.youtube.com/watch?v=7D83IpdiF-U)

2) Then select the result and click the “Import” button. The list of certificates should then look like this:

3) Next, go to the link https://electrum.org/#download

4) Download the Electrum distribution and the signature file into one folder

The signature file can be downloaded as follows:


5) We return to the Kleopatra program, click on the “Decrypt and Verify” tab, select the previously saved .asc signature file

We get the result:

The verification result (Thomas Voegtlin (https://electrum.org) <[email protected]> (2BD5 824B 7F94 70E6)) indicates that the file was signed with the PGP key with the fingerprint

6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6,

which belongs to one of the creators of Electrum - Thomas Voegtlin.

This means that the Electrum wallet installation file is genuine.

If the signature verification had not succeeded, you would see a different message: “Invalid signature”. That would mean the Electrum installation file is compromised.
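
The same check from the command line, as an added example that is not part of the original post or of Electrum's own tooling: it reads GnuPG's machine-readable `--status-fd` output and accepts the file only when a valid signature comes from the key with the fingerprint given above. It assumes `gpg` is installed and the key is already imported; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a download only if gpg reports a valid signature
# made by the key whose fingerprint is pinned here (taken from this page).
PINNED_FPR="6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# check_status FPR: reads `gpg --status-fd` lines on stdin. Succeeds only if
# a VALIDSIG line names FPR as primary key and no BADSIG line is present.
check_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "BADSIG" { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key; the last of the 12 fields
            # is the primary key fingerprint, which is what gets pinned.
            fpr = (NF >= 12) ? $NF : $3
            if (toupper(fpr) == toupper(want)) ok = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_release SIGFILE DATAFILE (hypothetical helper name).
# The verdict comes from the status lines, not from gpg's exit code or its
# human-readable text, so a valid signature by some other key is rejected.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status output (not a real capture) for an offline dry run.
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG $PINNED_FPR 2024-07-01 1719792000 0 4 0 1 8 00 $PINNED_FPR"

if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: valid signature from $PINNED_FPR"
    else
        echo "FAIL: no valid signature from $PINNED_FPR" >&2
        exit 1
    fi
elif printf '%s\n' "$SAMPLE_STATUS" | check_status "$PINNED_FPR"; then
    echo "dry run on constructed sample: accepted"
fi
```

Run it with the signature file and the downloaded file as its two arguments; with no arguments it only evaluates the constructed sample.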

Best regards, BitJackass.